After a very hot July, especially fruitful for critical vulnerabilities (1, 2, 3), Microsoft’s Patch Tuesday in August went relatively quiet. Yes, once again more than a hundred vulnerabilities were patched, yes, 17 flaws were rated as Critical, and Microsoft didn’t point at bugs of the “We All Doomed” level. Although back then security researchers drew attention to the Zerologon attack, the critical elevation of privilege flaw (CVE-2020-1472) that allows attackers to misuse the Netlogon Remote Protocol and gain administrator access to a domain controller.
Basically, the discovered CVE-2020-1472 (CVSS score: 10.0) gave the way to fraudsters to take command over the captured Domain Administrator account. The vulnerability was assigned the highest severity scoring by the Common Vulnerability Scoring System since there are actionable POC exploits and malicious activities connected to the CVE-2020-1472 exploitation are expected with a high degree of probability.
The CVE-2020-1472 vulnerability is directly related to the cryptographic algorithm used in Netlogon Remote Protocol. The vulnerability received its name due to the specificity of the exploitation when the starting variable, or initialization vector, was set to zeros instead of random numbers.
Technical Details about Zerologon Attack
Today security firm Secura has published the technical details behind Zerologon critical flaw, and evidence of the ease of exploitation of CVE-2020-1472 vulnerability has already begun to pour in. Zerologon allows a hacker to take command over the victimized domain controller. To establish a TCP session with a domain controller, the hackers are typically inside the network having physical access to the equipment, or have a standing point from outside the network. First, the fraudsters have to spoof the credentials of a computer on the company’s networks, which is possible in less than 256 attempts because of poor Initialization Vector of Netlogon Remote Protocol. Then, the hackers would disable the encryption transportation mechanism within MS-NRPC to clear the way for their further actions – change the password for the account which was initially used to get into the system so that the computer won’t be able to log in.
Security update and mitigation of CVE-2020-1472
Microsoft plans to solve the security issue in two phases, radically modifying the connection of devices within corporate networks.
The first one, the Initial Deployment Phase, started on August 11, 2020. It will last until Q1 2020 and during this time, updates will be released. To warn the administrators about vulnerable Netlogon connections allied to CVE-2020-1472 Microsoft added new EventIDs, along with updates for affected versions of Windows Server. Among them, the EventID 5829 was added to inform about vulnerable Netlogon connections.
On phase two – the Enforcement Phace – which is planned to start on February 9, 2021, with the updates installed, the Domain Controllers will deny vulnerable connections from devices using vulnerable Netlogon secure channel connections, except for allowed by group policy.
Technical details and detection of Zerologon attack
Now cybercriminals who compromised a system on an organization’s network can almost instantly gain access to a domain controller. Botnets such as Emotet or TrickBot, which provide access to infected systems to other groups, will become even more dangerous, and the time that ransomware gangs spend from the moment they sneak into the network until they start encrypting files will be significantly reduced.
Install the security update ASAP if you haven’t already. We also recommend downloading and deploying community rules by Adam Swan, our senior threat hunting engineer to detect Zerologon attacks: https://tdm.socprime.com/tdm/info/FgNYLnTxIVrs/7WbXfnQBSh4W_EKGaxL5/
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ELK Stack, RSA NetWitness, Splunk, LogPoint, Humio
Tactics: Lateral Movement
Techniques: Exploitation of Remote Services (T1210)
New rules for Zerologon attack (CVE-2020-1472 vulnerability) detection are being published at SOC Prime Threat Detection Marketplace.
Vulnerable Netlogon Secure Channel Connection Allowed by NVISO https://tdm.socprime.com/tdm/info/S4U7tNVmkwFr/Jp2DknQBPeJ4_8xcsU3h/?p=1
Anonymous User Changed Machine Password by Adam Swan, SOC Prime Team https://tdm.socprime.com/tdm/info/EPl2OKBmxbJ6/fHN5k3QBSh4W_EKG8VJB/?p=1#